Executive Briefings

Nations Seek the Elusive Cure for Cyberattacks

By: The New York Times 01.23.2018

When the "Wannacry" ransomware attack spread across Britain, Japan Russia, Taiwan and places in between last May, it took only a few days for private firms that looked at the code to come to some pretty quick conclusions.

The attack almost certainly came from North Korea. The North Koreans almost certainly used computer code that had leaked from the inner sanctum of the National Security Agency. And the ransomware part was a scam: If you paid off the hackers, your data still wasn’t restored.

Yet it took until October for the British government to identify North Korea as the culprit in an attack that paralyzed its health care system for a few days, and until mid-December for the Trump administration, in a presentation at the White House, to reach that same conclusion.

So what was the penalty for the government in Pyongyang for unleashing a devastating cyberattack? There was none. Nothing. Not even the kind of weak economic sanctions that the Obama administration imposed on the North three years before for its attack on Sony Pictures Entertainment.

“President Trump has used just about every lever you can use, short of starving the people of North Korea, to change their behavior,” Trump’s Homeland Security adviser, Thomas P. Bossert, said when he made the “name and shame” announcement blaming the North. “So we don’t have a lot of room left here to apply pressure.”

Securing the world against cyberattacks — from nations, criminal groups, vandals and teenagers — will be on the agenda when many of the world’s top leaders gather at the World Economic Forum in Davos, Switzerland, this week. As usual, there is a flurry of reports, and entrepreneurs will declare they have technological solutions at hand. But the fact remains that the major powers of the world have been unable to come up with a viable means of deterring the most damaging attacks. It still takes too long to formally identify the culprits, and the responses, as Bossert indicated, are insufficient.

The attack almost certainly came from North Korea. The North Koreans almost certainly used computer code that had leaked from the inner sanctum of the National Security Agency. And the ransomware part was a scam: If you paid off the hackers, your data still wasn’t restored.

Yet it took until October for the British government to identify North Korea as the culprit in an attack that paralyzed its health care system for a few days, and until mid-December for the Trump administration, in a presentation at the White House, to reach that same conclusion.

So what was the penalty for the government in Pyongyang for unleashing a devastating cyberattack? There was none. Nothing. Not even the kind of weak economic sanctions that the Obama administration imposed on the North three years before for its attack on Sony Pictures Entertainment.

“President Trump has used just about every lever you can use, short of starving the people of North Korea, to change their behavior,” Trump’s Homeland Security adviser, Thomas P. Bossert, said when he made the “name and shame” announcement blaming the North. “So we don’t have a lot of room left here to apply pressure.”

Securing the world against cyberattacks — from nations, criminal groups, vandals and teenagers — will be on the agenda when many of the world’s top leaders gather at the World Economic Forum in Davos, Switzerland, this week. As usual, there is a flurry of reports, and entrepreneurs will declare they have technological solutions at hand. But the fact remains that the major powers of the world have been unable to come up with a viable means of deterring the most damaging attacks. It still takes too long to formally identify the culprits, and the responses, as Bossert indicated, are insufficient.